diff options
Diffstat (limited to 'src/vendorcode/cavium/include/bdk/libbdk-trust')
-rw-r--r-- | src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-signed.h | 94 | ||||
-rw-r--r-- | src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-trust.h | 136 |
2 files changed, 230 insertions, 0 deletions
diff --git a/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-signed.h b/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-signed.h new file mode 100644 index 0000000000..601291c4bb --- /dev/null +++ b/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-signed.h @@ -0,0 +1,94 @@ +/***********************license start*********************************** +* Copyright (c) 2003-2017 Cavium Inc. (support@cavium.com). All rights +* reserved. +* +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that the following conditions are +* met: +* +* * Redistributions of source code must retain the above copyright +* notice, this list of conditions and the following disclaimer. +* +* * Redistributions in binary form must reproduce the above +* copyright notice, this list of conditions and the following +* disclaimer in the documentation and/or other materials provided +* with the distribution. +* +* * Neither the name of Cavium Inc. nor the names of +* its contributors may be used to endorse or promote products +* derived from this software without specific prior written +* permission. +* +* This Software, including technical data, may be subject to U.S. export +* control laws, including the U.S. Export Administration Act and its +* associated regulations, and may be subject to export or import +* regulations in other countries. +* +* TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SOFTWARE IS PROVIDED "AS IS" +* AND WITH ALL FAULTS AND CAVIUM INC. MAKES NO PROMISES, REPRESENTATIONS OR +* WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT +* TO THE SOFTWARE, INCLUDING ITS CONDITION, ITS CONFORMITY TO ANY +* REPRESENTATION OR DESCRIPTION, OR THE EXISTENCE OF ANY LATENT OR PATENT +* DEFECTS, AND CAVIUM SPECIFICALLY DISCLAIMS ALL IMPLIED (IF ANY) WARRANTIES +* OF TITLE, MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR A PARTICULAR +* PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS, QUIET ENJOYMENT, +* QUIET POSSESSION OR CORRESPONDENCE TO DESCRIPTION. THE ENTIRE RISK +* ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE LIES WITH YOU. +***********************license end**************************************/ + +/** + * @file + * + * Utility functions handling signed nad possibly encrypted files + * + * @defgroup signed Signed File IO + * @{ + */ + +/** + * Enumeration representing the possible data types in a signed file + */ +typedef enum +{ + BDK_SIGNED_IMAGE, /* BDK code image */ + BDK_SIGNED_DTS, /* Device tree file */ + BDK_SIGNED_PUB_KEY, /* Chain of trust public key, BDK proprietary format */ +} bdk_signed_data_t; + +/** + * Flags to pass to bdk_signed functions + */ +typedef enum +{ + BDK_SIGNED_FLAG_NONE = 0, /* Good for most files. Verfies as needed for trusted boot */ + BDK_SIGNED_FLAG_NOT_ENCRYPTED = 1 << 1, /* The file is not encrypted, even with trusted boot */ + BDK_SIGNED_FLAG_ALLOW_UNSIGNED = 1 << 2,/* File is not signed, even with trusted boot */ +} bdk_signed_flags_t; + +/** + * Load a file and verify its signature. If the file is encrypted, it is + * decrypted. If the file is compressed, it is decompressed. + * + * @param filename File to load + * @param loc Offset into file for image. This is normally zero for normal files. Device + * files, such as /dev/mem, will use this to locate the image. + * @param data_type Type of data in the file, enumerated by bdk_signed_data_t. This is required + * so the code can determine the file size before loading the whole file. + * @param flags Flags for controlling file loading + * @param filesize Set the size of the file if the file is loaded properly. If load fails, set to + * zero. + * + * @return Pointer to the data from the file, or NULL on failure + */ +extern void *bdk_signed_load(const char *filename, uint64_t loc, + bdk_signed_data_t data_type, bdk_signed_flags_t flags, uint64_t *filesize); + +/** + * Load the BDK's public signing key, which is signed by the Root of Trust + * + * @return Zero on success, negative on failure + */ +extern int bdk_signed_load_public(void); + +/** @} */ diff --git a/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-trust.h b/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-trust.h new file mode 100644 index 0000000000..693bed042e --- /dev/null +++ b/src/vendorcode/cavium/include/bdk/libbdk-trust/bdk-trust.h @@ -0,0 +1,136 @@ +#ifndef __BDK_TRUST_H__ +#define __BDK_TRUST_H__ +/***********************license start*********************************** +* Copyright (c) 2003-2017 Cavium Inc. (support@cavium.com). All rights +* reserved. +* +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that the following conditions are +* met: +* +* * Redistributions of source code must retain the above copyright +* notice, this list of conditions and the following disclaimer. +* +* * Redistributions in binary form must reproduce the above +* copyright notice, this list of conditions and the following +* disclaimer in the documentation and/or other materials provided +* with the distribution. +* +* * Neither the name of Cavium Inc. nor the names of +* its contributors may be used to endorse or promote products +* derived from this software without specific prior written +* permission. +* +* This Software, including technical data, may be subject to U.S. export +* control laws, including the U.S. Export Administration Act and its +* associated regulations, and may be subject to export or import +* regulations in other countries. +* +* TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SOFTWARE IS PROVIDED "AS IS" +* AND WITH ALL FAULTS AND CAVIUM INC. MAKES NO PROMISES, REPRESENTATIONS OR +* WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT +* TO THE SOFTWARE, INCLUDING ITS CONDITION, ITS CONFORMITY TO ANY +* REPRESENTATION OR DESCRIPTION, OR THE EXISTENCE OF ANY LATENT OR PATENT +* DEFECTS, AND CAVIUM SPECIFICALLY DISCLAIMS ALL IMPLIED (IF ANY) WARRANTIES +* OF TITLE, MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR A PARTICULAR +* PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS, QUIET ENJOYMENT, +* QUIET POSSESSION OR CORRESPONDENCE TO DESCRIPTION. THE ENTIRE RISK +* ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE LIES WITH YOU. +***********************license end**************************************/ + +/** + * @file + * + * Master include file for trusted boot support. Use bdk.h instead + * of including this file directly. + * + * @defgroup trust Trusted boot support + */ + +#include "bdk-signed.h" + +typedef enum +{ + BDK_TRUST_LEVEL_BROKEN, /* Trust is unknown or was broken during boot. Fatal error state */ + BDK_TRUST_LEVEL_NONE, /* Untrusted boot */ + BDK_TRUST_LEVEL_SIGNED, /* Trusted boot verified by ROTPK */ + BDK_TRUST_LEVEL_SIGNED_SSK, /* Trusted boot with SSK encryption */ + BDK_TRUST_LEVEL_SIGNED_BSSK,/* Trusted boot with BSSK encryption */ +} +bdk_trust_level_t; + +typedef struct +{ + uint64_t total_length; + uint32_t s[8]; +} bdk_sha256_state_t; + +/** + * Start a new SHA256 + * + * @param hash_state Hash state to initialize + */ +extern void bdk_sha256_init(bdk_sha256_state_t *hash_state); + +/** + * Update SHA256 for a data block + * + * @param hash_state Hash state + * @param data Data to hash + * @param size Size of the data in bytes + */ +extern void bdk_sha256_update(bdk_sha256_state_t *hash_state, const void *data, int size); + +/** + * Finish a SHA256 + * + * @param hash_state Hash state + * + * @return Pointer to the 64 byte SHA256 + */ +extern void *bdk_sha256_finish(bdk_sha256_state_t *hash_state); + +/** + * Perform AES128 encryption with CBC + * + * @param key Key to use for encryption. Should be a pointer to key memory. + * @param data Data to encrypt + * @param size Size of the data in bytes. Must be a multiple of 16 + * @param iv Initial vector. Set to 16 zero bytes for start, then use to chain multiple + * calls. + */ +extern void bdk_aes128cbc_encrypt(const void *key, void *data, int size, void *iv); + +/** + * Perform AES128 decryption with CBC + * + * @param key Key to use for decryption. Should be a pointer to key memory. + * @param data Data to decrypt + * @param size Size of the data in bytes. Must be a multiple of 16 + * @param iv Initial vector. Set to 16 zero bytes for start, then use to chain multiple + * calls. + */ +extern void bdk_aes128cbc_decrypt(const void *key, void *data, int size, void *iv); + +/** + * Called by boot stub (TBL1FW) to initialize the state of trust + */ +extern void __bdk_trust_init(void); + +/** + * Returns the current level of trust. Must be called after + * __bdk_trust_init() + * + * @return Enumerated trsut level, see bdk_trust_level_t + */ +extern bdk_trust_level_t bdk_trust_get_level(void); + +/** + * Return the current secure NV counter stored in the fuses + * + * @return NV counter (0-31) + */ +extern int bdk_trust_get_nv_counter(void); + +#endif |